Description:

To help with setting up multiple similar VPN connections (e.g. several devices connecting to the same local network), templates can be created in the configuration of the LANCOM R&S®Unified Firewall to save you having to manually enter the same parameters many times over.

Furthermore, you can save dedicated encryption and authentication parameters to the security profiles (for example for particular VPN clients or VPN routers).

When a user creates a VPN connection from a template, the parameters stored in that template are loaded automatically.


Requirements:

  • LANCOM R&S®Unified Firewall as of LCOS FX version 10.4
  • Web browser for configuring the LANCOM R&S®Unified Firewall

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Procedure:

1) Security profiles:

1.1) Open the configuration interface of the LANCOM R&S®Unified Firewall in your browser and go to the menu VPN → IPSec → Security Profiles. Click on the “+” icon to create a new security profile.

1.2) On the ISAKMP (IKE) tab, adjust the following parameters:

  • Name: Enter a descriptive name.
  • IKE Version: Select the required IKE version.
  • Encryption Algorithms: Choose one or more encryption algorithms.
  • Authentication Algorithms: Choose one or more authentication algorithms.
  • DH Groups: Select the required DH group.
  • SA Lifetime: Enter the lifetime for Phase 1 (IKE).

The maximum SA Lifetime is 86400 seconds (1 day).

1.3) Change to the IPSec (ESP) tab and modify the following parameters:

  • Encryption Algorithms: Select one or more encryption algorithms.
  • Authentication Algorithms: Choose one or more authentication algorithms.
  • DH Groups (PFS): Select the required DH group.
  • SA Lifetime: Enter the lifetime for Phase 2 (IPSec).

The maximum SA Lifetime is 86400 seconds (1 day).



2) Templates:

Not all of the fields need to be filled out. Fill out only those fields whose values are identical for all of the VPN connections that will be created from the template; leave connection-specific fields empty.

2.1) Navigate to the menu VPN → IPSec → Templates and click on the “+” icon to create a new template.

2.2) On the Connection tab, modify the following parameters:

  • Name: Enter a descriptive name.
  • Security Profile: From the drop-down menu, select the profile created in step 1, or any other security profile.
  • Connection: Use the drop-down menu to select the Internet connection.

Note:
If the Unified Firewall itself should initiate the VPN connection and/or use NAT traversal, set the corresponding check mark(s).

2.3) Change to the Tunnels tab and modify the following parameters:

  • Local Networks: Enter the local network of the Unified Firewall in CIDR notation (Classless Inter-Domain Routing, e.g. 192.168.1.0/24) and click on the “+” icon to add it. If necessary, repeat this step for additional networks.
  • Virtual IP Pool: When creating a template for VPN clients, select an IP pool from the drop-down menu (either the default virtual IP pool or one of your own IP pools).

Note:
When creating a template for a site-to-site VPN connection, the virtual IP pool is not required. In this case, leave the field empty.

2.4) Change to the Authentication tab and adjust the following parameters as necessary:

This example shows a VPN dial-in using a certificate and authentication via XAUTH. Since all VPN clients use the same certificate, all of the authentication parameters can be saved to the template.

Important:
VPN dial-in with a certificate and authentication via XAUTH only works with IKEv1!

Note:
If you use a preshared key instead, do not use the same preshared key for more than one VPN connection, for security reasons: a key shared across connections compromises all of them if it leaks from any one of them.
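The following added example (not LANCOM code, and not an import/export format of the Unified Firewall) models the rules stated in this procedure as a small consistency check that an administrator could run over planned profiles and templates before entering them in the web interface: the 86400-second SA lifetime limit for both phases, CIDR notation for local networks, the IKEv1 requirement for certificate dial-in with XAUTH, and detection of a preshared key reused across connections. The SecurityProfile and Template dataclasses, the field names and the "certificate"/"psk" labels are assumptions chosen for this example.

```python
"""Consistency checks for planned IPSec security profiles and templates.

Added example; the data model below is hypothetical and only mirrors the
fields and rules named in the procedure above (it is not LANCOM's format).
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional

MAX_SA_LIFETIME = 86400  # seconds (1 day), the limit given for both phases


@dataclass
class SecurityProfile:
    name: str
    ike_version: int                 # 1 or 2 (ISAKMP/IKE tab)
    ike_encryption: list[str]
    ike_authentication: list[str]
    ike_dh_groups: list[str]
    ike_sa_lifetime: int             # Phase 1 lifetime in seconds
    esp_encryption: list[str]        # IPSec (ESP) tab
    esp_authentication: list[str]
    esp_dh_groups: list[str]         # PFS groups
    esp_sa_lifetime: int             # Phase 2 lifetime in seconds


@dataclass
class Template:
    """Only values identical for all connections are set; None = left empty."""
    name: str
    security_profile: SecurityProfile
    connection: Optional[str] = None             # Internet connection
    local_networks: list[str] = field(default_factory=list)
    virtual_ip_pool: Optional[str] = None        # empty for site-to-site
    auth_method: Optional[str] = None            # hypothetical: "certificate" or "psk"
    xauth: bool = False
    preshared_key: Optional[str] = None


def check_profile(p: SecurityProfile) -> list[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    for label, lifetime in (("Phase 1 (IKE)", p.ike_sa_lifetime),
                            ("Phase 2 (IPSec)", p.esp_sa_lifetime)):
        if not 0 < lifetime <= MAX_SA_LIFETIME:
            problems.append(f"{label} SA lifetime {lifetime}s is outside 1..{MAX_SA_LIFETIME}")
    if p.ike_version not in (1, 2):
        problems.append(f"unknown IKE version {p.ike_version}")
    for label, algs in (("IKE encryption", p.ike_encryption),
                        ("IKE authentication", p.ike_authentication),
                        ("IKE DH groups", p.ike_dh_groups),
                        ("ESP encryption", p.esp_encryption),
                        ("ESP authentication", p.esp_authentication),
                        ("ESP DH groups (PFS)", p.esp_dh_groups)):
        if not algs:
            problems.append(f"{label}: at least one entry required")
    return problems


def check_template(t: Template) -> list[str]:
    """Profile checks plus the template-level rules from the procedure."""
    problems = check_profile(t.security_profile)
    for net in t.local_networks:
        try:
            ip_network(net, strict=True)   # host bits set -> not a network in CIDR form
        except ValueError:
            problems.append(f"local network {net!r} is not valid CIDR notation")
    if t.auth_method == "certificate" and t.xauth and t.security_profile.ike_version != 1:
        problems.append("certificate dial-in with XAUTH requires IKEv1")
    if t.auth_method == "psk" and t.preshared_key:
        problems.append("preshared key stored in template would be shared by every connection")
    return problems


def connection_from_template(t: Template, name: str, **specific) -> dict:
    """Build a connection record: template values load automatically,
    connection-specific values are supplied explicitly."""
    conn = {
        "name": name,
        "security_profile": t.security_profile.name,
        "connection": t.connection,
        "local_networks": list(t.local_networks),
        "virtual_ip_pool": t.virtual_ip_pool,
        "auth_method": t.auth_method,
        "xauth": t.xauth,
        "preshared_key": t.preshared_key,
    }
    conn.update(specific)
    return conn


def find_psk_reuse(connections: list[dict]) -> list[list[str]]:
    """Group connection names that share one preshared key (keys are not returned)."""
    by_key: dict[str, list[str]] = {}
    for c in connections:
        if c.get("auth_method") == "psk" and c.get("preshared_key"):
            by_key.setdefault(c["preshared_key"], []).append(c["name"])
    return [names for names in by_key.values() if len(names) > 1]
```

The PSK check deliberately flags a key stored in the template itself, since a template value is copied into every connection created from it, which is exactly the reuse the note above warns against; keys belong in the individual connection, not in the template.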